It appears that Rep. Jim Langevin (D-R.I.) has proposed legislation to establish a National Office for Cyberspace in the Executive Office of the President. The Director of that office — whom the press would immediately dub the Cyberspace Czar — would chair an interagency “Federal Cybersecurity Practice Board.” Together, they would develop and police the implementation of policies to achieve “Governmentwide protection of Government-networked computers against common attacks” and “agencywide protection against threats, vulnerabilities, and other risks to the information infrastructure within individual agencies.” Question: Does the experience of the Office of the Director of National Intelligence suggest this sort of strategy is effective at overcoming the interagency frictions, competition and/or lack of trust that impede policy progress in the domain of national security? I voice this as a real, not rhetorical question.
Paul Rosenzweig has an intriguing online post on the difficulty presented, in designing national cybersecurity policy, in calibrating the right balance between government capacity and the protection of liberty. He wisely writes: ”[T]his challenge is not readily susceptible to a rote answer based on ideology.” Paul argues, however, that he would generally strike the balance against “excessive government power.” Relying in part on insights of Martin Libicki, he concludes ”that if cyber deterrence is less dependent on the quickness of a response than on its certainty, then the argument for strong presidential authority is appreciably diminished.”
One can’t help but think that McFate (as Nabokov called him) has a special place for Sarah Palin and Senators Lieberman and Collins. After Palin called for ‘drill, baby, drill’ McFate obligingly arranged for BP to have a spectacular oil spill. Then, no doubt pleased with himself, McFate arranges for Middle Eastern governments to hit the kill switch on the Internet a few months after the Senators introduce the so-called Internet kill switch bill.
The bill, now stripped of its kill switch provision (though the same authority still resides in Section 706 of the Telecommunications Act of 1934), has been reintroduced by Senators Lieberman, Collins, and Carper as the Cybersecurity and Internet Freedom Act (S413).
I’m not going to take up the refrain already coming from the privacy community (mafia would be a better term) — I have my own issues with their perspective. My concerns about S413 are based on the boring reality of life: oftentimes it is the details that matter. (And, in the interests of full disclosure, the text of S413 is not available as I write this, so I’m basing my comments on provisions in the earlier bill.)
Here’s the problem: the heart of the bill is a well-meaning attempt to create a public-private partnership to protect ‘the nation’s most critical infrastructures’ that will result in one of two outcomes:
- MOST LIKELY, it will mean little and accomplish nothing;
- IN THE WORST CASE (if McFate’s evil twin has his way), the bill would create a system for national security-driven cybersecurity investments that will make Ptolemaic astronomical predictions look commonsensical by comparison.
As I said, the bill was written by well-meaning people. Within DHS it would create a National Center for Cybersecurity and Communication (NCCC) with a Senate-approved Director. With the NCCC in place three things would happen:
1. Mandatory security requirements would be imposed on ‘specific systems or assets whose disruption would cause a national or regional catastrophe.’ These ‘covered critical infrastructures’ would be identified collaboratively, of course, with the private sector. And, in a version of the Lawyers and Lobbyists Full Employment Act, owners/operators of covered critical infrastructures could appeal their inclusion through ‘administrative procedures’ (unspecified?).
2. Hopefully a collaborative environment between the NCCC and the private sector would emerge. The bill seems to waffle a bit on this; according to the accompanying White Paper, ‘although owners/operators of covered critical infrastructures would be required to report on cyber attacks … the NCCC would not have the authority to compel this disclosure.’
3. The NCCC would set risk-based security performance requirements for covered systems in conjunction with the private sector. The risk/mitigation profile would drive the choice of security measures that would, in ways unspecified, satisfy the risk-based security performance requirements.
In other words, some cyber systems would be designated as national security critical; owners/operators of these systems would have to invest in additional security to meet national security criteria.
This approach has many problems, but here are two: first, there is almost no data, let alone an agreed-upon approach, for doing most cyber-based risk analysis; and second, the link between reducing risk and taking certain security actions is tenuous at best.
For instance, insider threats (say, security violations coming from people who have legitimate passwords) are widely acknowledged as being among the most serious threats, and certainly would be an important element in any risk-based security performance requirements. Two problems: first, there are no — repeat no — records of insider threats other than anecdotes or those unfortunates who are not only caught but also prosecuted (a tiny number); and second, it is unclear (or more pedantically, ‘a research challenge’) what to do to address the insider threat.
Hence my observation — we have in S413 a potential requirement that private owner/operators invest in additional security, but without any solidly based mechanisms to establish how, or why, the resources should be spent.
This is a recipe for bringing forth numerology and astrology dressed up as analysis, with a solid foundation of lobbying, as the basis for decisions.
I’m all in favor of the goal of S413 — solid risk-based investment to secure critical national infrastructures. I just wish policy makers would embark on this process with their eyes wide open.
Obama Administration Proposes Increased Cyber Funding; GAO Finds “Persistent Control Weakness” in Federal Systems
President Obama’s FY 2012 budget plan allocates $460 million — a huge increase in appropriations — for the Department of Homeland Security National Cyber Security Division, whose job is helping to prevent attacks against U.S. information networks. The funding proposal emerges almost simultaneously with a GAO report that applauds the Administration’s commitment to cybersecurity, but finds significant challenges remaining, including ”persistent control weaknesses” in federal information systems.
Text of Letter from Senator Robert Menendez (D-NJ) to Hon. Mary Schapiro, Chairman, Securities and Exchange Commission re: NASDAQ Hacking
Dear Chairman Schapiro,
I write to raise several important concerns about the breach in the network at Nasdaq that was reported this past weekend. As you know, Nasdaq OMX Group has acknowledged that, over the course of the past year, hackers of unknown origin repeatedly tried to break into its network, specifically Directors Desk, a program that allows corporate board members and executives to exchange non-public information. Tech-savvy hackers breaching American exchanges may threaten the savings, pensions, and retirements of middle class families across the country, and it shakes the foundation of our markets that are just beginning to recover.
This disturbing information raises several pressing questions that I request that the SEC follow up on in coordination with other government agencies and private companies that are key in our financial markets. Please provide me with information about what steps are being taken in each of the following areas.
• The steps the SEC is considering taking in coordination with the Department of Justice, Department of Homeland Security, state Attorneys General, and other government agencies as appropriate to conduct a prompt and thorough investigation of the breach in the network at Nasdaq to find out who breached the network and bring them to justice. There must be serious consequences for causing disruptions to financial markets through hacking and cyber-crime.
• Consider investigating the extent to which hacking can disrupt trading platforms, both at Nasdaq and other exchanges as well, and what steps can be taken to prevent that. Although Nasdaq’s trading platform was reportedly not affected by this particular example of hacking, as a member of the Senate Banking, Housing, and Urban Affairs Committee, I have much broader concerns about the implications of this data security breach for market trading and future financial crises. One of the lessons we have learned from past financial crises, including the economically devastating crisis of 2008 and the “flash crash” of last May, is that we should be prepared for the next financial crisis by having regulations and procedures in place for potential market disruptions, even if we do not know what the exact source of that disruption will be. Security breaches by either hackers trying to gain private information for insider trading or terrorists trying to cause market disruptions are a potential source of future financial crises that we should prepare for.
• Finally, consider reviewing what policies, if any, are in place concerning when exchanges and other trading companies are required to publicly report information on security breaches, and what the effects of the timing of such revelations are on both criminal investigations and markets. The Wall Street Journal stated that Nasdaq, for example, decided to make the information about the security breach public only after the Wall Street Journal reported on it, despite the Department of Justice’s interest in the matter.
Thank you for your time, and I look forward to your response.
Cc: Attorney General Eric Holder
Homeland Security Secretary Janet Napolitano
Audit of Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security Finds Missing “Essential Security Requirements and Effective Practices”
A new report by the Department of Energy’s inspector general finds that critical infrastructure protection cybersecurity standards promulgated by the Federal Energy Regulatory Commission do “not always include controls commonly recommended for protecting critical information systems.” For example, the “standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls,” and, “the Commission approved an implementation approach and schedule for the CIP standards that did not adequately consider risks to information systems.”
House Armed Services Subcomm. on Emerging Threats and Capabilities is holding a hearing tomorrow at 11:30 on “What Should the Department of Defense’s Role in Cyber Be?” Witnesses will include Greg Nojeim, of the Center for Democracy and Technology, who will also be speaking at our April 1 symposium.
I may not have coined the term ‘creeping failure’ but it perfectly describes our efforts to date to make the Internet secure.
Creeping failure is what happens when a worsening public problem doesn’t generate a crisis, and so circumstances continue to deteriorate without resolution. The destruction of New Orleans by Katrina was a crisis. The destruction of Detroit exemplifies creeping failure. As a polity it seems that we respond to crises but not to creeping failure. Yet we see examples of creeping failure throughout our public life – whether it be Detroit or climate change or K-12 education.
And so with Internet security. When I first began to work on network security issues over a decade ago, it was in the context of President Clinton directing the National Security Council to develop a national strategy to protect ‘critical infrastructures’ — especially cyber and telecommunications networks — from attack. At that time we at the NSC had great difficulty finding any real-life examples of cyber threats that rose above the teenage hackers.
Fast forward to now. A highly sophisticated cyber criminal underworld now flourishes, of a size and sophistication that put Prohibition or the Mafia to shame. With Stuxnet we now have the acknowledged use of state cyber power to destroy physical assets in other countries. Cyber espionage, for both national security and economic motives, occurs at a scale and speed that challenge the traditional distinction made between acts of espionage and war.
How big is this cyber security problem? It certainly is serious, but alas we don’t know how serious. Liquor store robberies are tracked with much greater precision than anything done with cyber attacks.
Over a decade ago a policy framework to improve cyber security was laid out that rested on a voluntary public-private partnership. I would challenge anyone to say that this partnership has succeeded in making networks more secure.
I lay the fault for this creeping failure on our collective failure to build the institutional infrastructure and incentives to make public private partnerships actually work. In a world where both the occurrence and cost of cyber insecurity remain hidden, markets simply don’t work to incent software developers, network operators, and large organizations to invest and act in ways that would improve collective security. This failure is compounded by the fact that the underlying protocols of the Internet are themselves highly insecure. The net result is that security becomes a matter of fortifying individual systems — the cyber analog to a form of security last seen in the Middle Ages. The mantra of ‘public-private partnership’ has become rather like sitting around a campfire singing Kumbaya and hoping for world peace — it feels good but does nothing.
In coming weeks I will blog on various aspects of how and why our current policies are failing, and how they can be corrected. Just remember — we face not a crisis in cyber security, but creeping failure. The lack of any substance behind our vaunted public-private partnerships lies at its core.
[From Peter Shane: I joked with Paul that I could not quite identify what was "conservative" about his principles, but am happy to draw attention to this thoughtful discussion.]
Abstract: In the age of the Internet, which now determines daily life for Americans, many threats to the U.S. now exist in the cyber domain. Cybersecurity is a near-constant theme in Washington, as well as for private companies around the country. Congress and government agencies are clamoring to develop policies and strategies to protect national security and commercial interests. Internet attacks are already a standard feature of modern life, and the threats and their implications—from hacking into company sites to steal credit card numbers to hacking into government computers for espionage—are growing fast. Cybersecurity must be addressed—the right way. This Heritage Foundation paper outlines the basic facts of the Internet—and the policy principles to which they lead.
A police state shuts down the Internet to keep itself in power. A WikiLeaks dump of diplomatic cables triggers cyberattacks on both its servers and on payment sites that refuse to support WikiLeaks. Somebody – Israelis? Americans? Both? – designs a digital virus that effectively disrupts Iranian nuclear centrifuges.
Anything here worth talking about?
Since its founding in 2004, I/S: A Journal of Law and Policy for the Information Society has been dedicated to bringing together scholarship from multiple disciplines to shed light on the legal and policy issues that have proliferated with the ubiquity of new digital information and communication technologies. This domain is characterized by both complexity and urgency. If anyone needed persuasion that social problems do not respect the boundaries of academic disciplines, surely our online world is doing that job. Likewise, if anyone needed persuasion that thought leaders from both inside and outside the academy needed to find ways of collaborating.
On April 1, 2011, for its 2011 Annual Symposium, I/S has chosen the topic, “Cybersecurity: Shared Risks, Shared Responsibilities.” We hope that, by bringing together experts in law, information science, engineering, national security, and public policy, we can help get past ambiguous concepts and aspirational rhetoric to elaborate concrete ideas for achieving acceptable levels of cybersecurity. More specifically, experts and public authorities frequently call for “private/public partnerships” to address our vulnerabilities, but the concept remains vague. What precisely are the relevant threats? Who is going to do what to meet those threats? What are the real impediments to making and implementing effective cyber policy? What could go wrong?
We hope this blog will be a robust forum for sharing news, ideas, opinions, and analyses on cybersecurity. I have been privileged to serve as a lead organizer for the symposium along with Dr. Jeffrey Hunker and a great student team. Please don’t let ours be the only voices heard here. Join us on April 1 at Ohio State or via our free webcast and, equally important, let’s get the conversation going now to help focus our symposium productively on the questions of policy that all informed citizens should now be discussing.